Cyberattacks targeting South Africa: expensive lessons to be learnt

by Catherine Berry | Camargue Underwriting Managers | March 26, 2018

On a daily basis, headlines across all media platforms report on the rampant increase of cybercrime. Discussions regarding cyber security in respect of national resources and assets abound, with fears of nuclear plants and power grids being targeted by cyber criminals. Television crime series’ plots see the hacking of personal devices such as pacemakers and GPS devices. Sci-fi movies are filled with artificial intelligence, not only threatening everyday jobs, but turning on humanity. But that’s obviously all just scare tactics and Hollywood scripts. South Africa is removed from these headline horrors of data theft, of cyber warfare and all things AI. Aren’t we?

One of the largest contributing factors to this idealism is that the Protection of Personal Information Act is not fully effective yet. The impact of this is that South African breaches or denial of service attacks do not have to be reported, nor made public. It is only natural that the custodians of compromised data would be loath to voluntarily publicize their failure at protecting their clients’ personal information. Such a publication would attract media and public scrutiny, tarnishing the organisation’s reputation for an indeterminable period, if not forever. This shroud of shame would be accompanied by a drop in the company’s value, and that is not even considering a potential class action suit brought against the organisation. The [self-funding] regulator would most certainly seek to exercise its powers by imposing a fine [of up to R10m]. This cost would be over and above the costs incurred in having to notify the individuals on the organisation’s database of the data breach. The company would surely be expected to assist with implementing risk management measures to prevent the identity theft of its customers as a result of the breach. Thus, there are very few cyberattacks [on South African companies] which are publicized.

A September 2017 article featured on www.techfinancials.co.za advises that, in 2016, South Africa was ranked 58th on the list of 117 countries suffering the most cyberattacks. South Africa now holds the 31st position on this list, with an estimated R50 billion having been lost due to these attacks.

WannaCry was considered the largest virus attack of 2017, infecting between 400,000 and 1 million devices worldwide. Cyber security firm Check Point (Massive cyberattacks slated for 2018 will make Petya WannaCry) anticipates 2018 seeing new, better-coordinated attacks, dwarfing Petya and WannaCry, which cost South African and global companies millions. Distributed Denial of Service attacks, such as that against domain directory service DynDNS, which caused an internet outage in 2016 affecting users of large web businesses such as Netflix and Amazon, are indicative of the impact which attacks on critical infrastructure can have.

As reported in the Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview, organisations in South Africa have a 41% probability of experiencing a material data breach (involving 10,000 records or more) over the next 24 months. 40% of South African breaches studied over the two-year period were due to malicious attacks, with the average number of records compromised being 19,800.

The Ponemon Institute’s 2017 Cost of Data Breach Study: South Africa revealed that the average cost of a data breach was R32m, equating to R1,632 per capita. R809 of the latter figure is in respect of direct costs expended in isolating and containing the breach. This is in stark contrast to the apathy of South Africans towards their vulnerability, as the costs cited in the survey are from actual data breaches.

The State of Endpoint Security Today, sponsored by Sophos, reports that, for South Africa, the median total cost of a ransomware attack was R1.6m (a figure that extends beyond the ransom to include downtime, manpower, device cost, network costs and lost opportunities).

The statistics detailed above all point to an evolving technological environment, where cybercriminals are continuously finding new exploit tactics which, when deployed, could cripple a company. The strong emphasis on good corporate governance worldwide dictates that strong risk management measures need to be implemented to protect organisations against cyberattacks. Given the significant costs associated with these attacks, it is imperative that cyber insurance be considered as a risk transfer mechanism, as a component of a comprehensive risk management programme which includes a cyber security framework.

Camargue Underwriting Managers (Pty) Limited (“Camargue”) has been underwriting cyber insurance since 2011. The Camargue cyber product provides comprehensive coverage in respect of third party liability emanating from data breaches (whether it be from customers whose confidential information has been compromised, or from the regulator, as a result of the data breach), or from viruses inadvertently transmitted by the Insured to a third party. In addition, the policy provides crisis management and customer support, along with credit monitoring, in the event of a data breach. First party coverage includes data recovery and loss of business income coverage, because of a first party event emanating from a security breach, computer virus or malicious code, failure of a computer network, programming error of delivered programs, or damage to data. The policy offers errors & omissions coverage for companies rendering information technology services and advice.

The Camargue Cyber Attack Plus (CCAP) product was launched during 2017. This product not only covers the exposures detailed above, but further extends to cover property damage and bodily injury. Industries requiring this coverage include energy, oil and gas, critical infrastructure, utilities, mining, distribution, logistics, manufacturing, transportation and heavy industry.

Over and above the policy coverage, Camargue provides risk management services such as automated vulnerability assessments, private arbitration as well as contract vetting, to assist Insureds with a multi-pronged risk management approach.
